Terraform AWS Elasticache

Redis or Memcached clusters and replication groups with subnet groups, security groups, transit and at rest encryption, auth tokens, parameter groups, and automatic failover.

Controls enforced

These compliance controls are checked at terraform plan time.

ElastiCache Redis clusters should have automatic backups enabled with a retention period of 15 days or greater(low effort)
ElastiCache for Redis replication groups should have automatic failover enabled(low effort)
ElastiCache for Redis replication groups should be encrypted at rest(low effort)
ElastiCache for Redis replication groups should be encrypted with CMK(low effort)
ElastiCache for Redis replication groups should be encrypted in transit(low effort)
ElastiCache for Redis replication groups before version 6.0 should use Redis Auth(low effort)

Quick start

module "elasticache" {
  source  = "iso27001.compliance.tf/terraform-aws-modules/elasticache/aws"
  version = "1.0"

  # ... your arguments here
}

module "elasticache" {
  source  = "nistcsf.compliance.tf/terraform-aws-modules/elasticache/aws"
  version = "1.0"

  # ... your arguments here
}

module "elasticache" {
  source  = "pcidss.compliance.tf/terraform-aws-modules/elasticache/aws"
  version = "1.0"

  # ... your arguments here
}

module "elasticache" {
  source  = "nis2.compliance.tf/terraform-aws-modules/elasticache/aws"
  version = "1.0"

  # ... your arguments here
}

module "elasticache" {
  source  = "soc2.compliance.tf/terraform-aws-modules/elasticache/aws"
  version = "1.0"

  # ... your arguments here
}

module "elasticache" {
  source  = "acscessentialeight.compliance.tf/terraform-aws-modules/elasticache/aws"
  version = "1.0"

  # ... your arguments here
}

module "elasticache" {
  source  = "cfrpart11.compliance.tf/terraform-aws-modules/elasticache/aws"
  version = "1.0"

  # ... your arguments here
}

module "elasticache" {
  source  = "cisv80ig1.compliance.tf/terraform-aws-modules/elasticache/aws"
  version = "1.0"

  # ... your arguments here
}

See the Get Started guide and Registry Endpoints for details on how to customize the module for your requirements.

Migration from upstream

Already using terraform-aws-modules? Change only the source URL:

module "elasticache" {
  source  = "terraform-aws-modules/elasticache/aws"
  version = "1.0"
}

module "elasticache" {
  source  = "soc2.compliance.tf/terraform-aws-modules/elasticache/aws"
  version = "1.0"
}

Same arguments. Same outputs. Controls are checked at terraform plan. See the Migration Guide for step-by-step instructions.

Reversibility

No lock-in. Switch back by reverting the source URL:

module "elasticache" {
  source  = "terraform-aws-modules/elasticache/aws"
}

Run terraform init -upgrade. Terraform state is unchanged — same resource addresses, same provider, no compliance.tf-specific resources. Controls you already applied remain in AWS.

Mapped compliance frameworks

A.8.11 Data masking

A.8.14 Redundancy of information processing facilities

ElastiCache for Redis replication groups should have automatic failover enabled

A.8.24 Use of cryptography

ID.AM-08

ElastiCache Redis clusters should have automatic backups enabled with a retention period of 15 days or greater

PR.DS-1

PR.DS-2

ElastiCache for Redis replication groups should be encrypted in transit

PR.IP-4

ElastiCache Redis clusters should have automatic backups enabled with a retention period of 15 days or greater

RC.RP-1

ElastiCache Redis clusters should have automatic backups enabled with a retention period of 15 days or greater

10.3.3: Audit log files, including those for externalfacing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify

ElastiCache Redis clusters should have automatic backups enabled with a retention period of 15 days or greater

10.3.3: Audit logs are protected from destruction and unauthorized modifications.

ElastiCache Redis clusters should have automatic backups enabled with a retention period of 15 days or greater

2.2.7: System components are configured and managed securely.

ElastiCache for Redis replication groups should be encrypted in transit

3.5.1: Primary account number (PAN) is secured wherever it is stored.

4.2.1.1: An inventory of the entity's trusted keys and certificates used to protect PAN during transmission is maintained

ElastiCache for Redis replication groups should be encrypted in transit

4.2.1.1: PAN is protected with strong cryptography during transmission.

ElastiCache for Redis replication groups should be encrypted in transit

4.2.1: PAN is protected with strong cryptography during transmission.

ElastiCache for Redis replication groups should be encrypted in transit

8.3.2: Strong authentication for users and administrators is established and managed.

8.3.2: Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components

3 Incident handling

ElastiCache Redis clusters should have automatic backups enabled with a retention period of 15 days or greater

4 Business continuity and crisis management

ElastiCache Redis clusters should have automatic backups enabled with a retention period of 15 days or greater

9 Cryptography

ElastiCache for Redis replication groups should be encrypted in transit

A1.2 The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives

ElastiCache Redis clusters should have automatic backups enabled with a retention period of 15 days or greater

CC6.7 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives

ElastiCache for Redis replication groups should be encrypted in transit

ACSC-EE-ML3-8.3: Regular backups ML3

ElastiCache Redis clusters should have automatic backups enabled with a retention period of 15 days or greater

11.10(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records

ElastiCache Redis clusters should have automatic backups enabled with a retention period of 15 days or greater

11.4 Establish and Maintain an Isolated Instance of Recovery Data

ElastiCache Redis clusters should have automatic backups enabled with a retention period of 15 days or greater

Framework coverage

Which controls from this module are active under each framework endpoint.

Control	PCI DSS v4.0	SOC 2
ElastiCache Redis clusters should have automatic backups enabled with a retention period of 15 days or greater	●	●
ElastiCache for Redis replication groups should have automatic failover enabled	○	○
ElastiCache for Redis replication groups should be encrypted at rest	●	○
ElastiCache for Redis replication groups should be encrypted with CMK	●	○
ElastiCache for Redis replication groups should be encrypted in transit	●	●
ElastiCache for Redis replication groups before version 6.0 should use Redis Auth	○	○

● enforced by default · ○ not activated by this endpoint